An ongoing malicious spam campaign is impersonating the U.K. mobile carrier O2 in an attempt to trick its customers into executing a fake "MMS message" attachment carried by the emails. Once a socially engineered user does so, their PC automatically joins the botnet operated by the cybercriminal, or gang of cybercriminals, whose activities we continue to monitor.

Once executed, the sample creates the following mutexes:
3161B74B4743E1643757A7220636106970144646
Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Local\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global\{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global\{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global\{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global\{5C56C404-F465-A7BB-11EB-B06D3016937F}
Global\{5C56C404-F465-A7BB-75EA-B06D5417937F}
Global\{5C56C404-F465-A7BB-4DE9-B06D6C14937F}
Global\{5C56C404-F465-A7BB-65E9-B06D4414937F}
Global\{5C56C404-F465-A7BB-89E9-B06DA814937F}
Global\{5C56C404-F465-A7BB-BDE9-B06D9C14937F}
Global\{5C56C404-F465-A7BB-51E8-B06D7015937F}
Global\{5C56C404-F465-A7BB-81E8-B06DA015937F}
Global\{5C56C404-F465-A7BB-FDE8-B06DDC15937F}
Global\{5C56C404-F465-A7BB-0DEF-B06D2C12937F}
Global\{5C56C404-F465-A7BB-5DEF-B06D7C12937F}
Global\{5C56C404-F465-A7BB-95EE-B06DB413937F}
Global\{5C56C404-F465-A7BB-F1EE-B06DD013937F}
Global\{5C56C404-F465-A7BB-89EB-B06DA816937F}
Global\{5C56C404-F465-A7BB-F9EF-B06DD812937F}
Global\{5C56C404-F465-A7BB-E5EF-B06DC412937F}
Global\{5C56C404-F465-A7BB-0DEE-B06D2C13937F}
Global\{5C56C404-F465-A7BB-09ED-B06D2810937F}
Global\{5C56C404-F465-A7BB-51EF-B06D7012937F}
Global\{5C56C404-F465-A7BB-35EC-B06D1411937F}
Global\{5C56C404-F465-A7BB-85EC-B06DA411937F}
Global\{5C56C404-F465-A7BB-FDEF-B06DDC12937F}
Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
MPSWabDataAccessMutex
MPSWABOlkStoreNotifyMutex
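Malware creates named mutexes as an "already infected" marker, so the names above double as a host-side indicator: if a process on a machine already holds one of them, opening it by name succeeds. The script below is an added example, not code from the original post, that sweeps a Windows host for a subset of the listed names (the remaining Local\{...} and Global\{...} names can be pasted into the same list). Two caveats a practitioner needs are built in: the CTF.TimListCache.* name (created by the Text Services Framework in every GUI process, and it embeds the local user's SID) and the two MPSWab* names (Windows Address Book / Outlook) are created by legitimate components and are excluded from matching; and a mutex that exists but whose DACL refuses our open returns ERROR_ACCESS_DENIED, which is still a hit. The default opener uses kernel32 through ctypes and is only available on Windows; the `opener` parameter is an assumption of this example that lets the logic be exercised elsewhere.

```python
"""Host check for the infection-marker mutexes listed above (added example)."""
import ctypes
import sys
from typing import Callable, Iterable, List, Optional

SYNCHRONIZE = 0x00100000     # smallest access right that still tests existence
ERROR_ACCESS_DENIED = 5      # object exists but its DACL blocks us: still a hit

# Subset of the names from the post that are usable as indicators.
IOC_MUTEXES: List[str] = [
    r"3161B74B4743E1643757A7220636106970144646",
    r"Global\{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}",
    r"Global\{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}",
    r"Global\{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}",
    r"Local\{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}",
    r"Local\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    r"Global\{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}",
    r"Global\{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}",
    r"Global\{5C56C404-F465-A7BB-11EB-B06D3016937F}",
    r"Global\{5C56C404-F465-A7BB-75EA-B06D5417937F}",
    # add the remaining Local\{...} and Global\{...} names from the post here
]

# Names from the post that legitimate Windows components also create; never alert on these.
BENIGN_NAMES = (
    "CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004"
    "MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004",
    "MPSWabDataAccessMutex",
    "MPSWABOlkStoreNotifyMutex",
)


def _windows_opener(name: str) -> bool:
    """True if a mutex of this name is visible to the calling session (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    # NULL handle: ERROR_FILE_NOT_FOUND means absent, ERROR_ACCESS_DENIED means present.
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def find_present_mutexes(names: Iterable[str],
                         opener: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return the names that exist on this host, skipping the known-benign ones.

    `opener(name) -> bool` is injectable so the filtering logic can run off-Windows.
    """
    if opener is None:
        if sys.platform != "win32":
            raise RuntimeError("default opener needs Windows; pass opener= elsewhere")
        opener = _windows_opener
    return [n for n in names if n not in BENIGN_NAMES and opener(n)]


if __name__ == "__main__":
    hits = find_present_mutexes(IOC_MUTEXES)
    print("\n".join(hits) if hits else "none of the listed mutexes are present")
```

Run it in the same logon session as the user who opened the attachment: names without a prefix and Local\ names live in the session's private namespace, so a sweep launched from a service or another session only sees the Global\ ones.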

It then phones back to the following C&C servers:
hxxp://62.76.187.147/nsmp/og/index.php
hxxp://62.76.187.113/par/22.exe
62.76.187.147
62.76.187.113
88.68.122.74
70.169.168.37
50.65.158.6
99.146.98.160
189.242.35.122
108.74.172.39
108.210.219.218
99.0.126.100
90.156.118.144
178.238.233.29
68.22.158.150
184.39.153.172
66.63.204.26
217.114.113.148
76.226.134.206
203.45.203.83
130.251.186.103
213.123.186.173
69.115.119.227
75.1.200.201
77.53.215.241
108.245.72.131
71.85.110.76
217.41.24.37
68.45.158.241
182.52.92.50
81.130.84.78
88.242.132.171
188.129.147.67
31.192.45.65
68.117.10.58
Note: three pairs in this list were recorded with no separator between the two addresses and can be split two ways. The alternative readings are 50.65.158.69 and 9.146.98.160 (for 50.65.158.6 and 99.146.98.160), 75.1.200.20 and 177.53.215.241 (for 75.1.200.201 and 77.53.215.241), and 108.245.72.13 and 171.85.110.76 (for 108.245.72.131 and 71.85.110.76). Verify against your own telemetry before blocking either reading.

Related malicious MD5s known to have phoned back to the same C&C IP (62.76.187.113):
MD5: 27da5e0800d937f03c5fbdff8aeb52c3
MD5: 83ab87dba8600e5f6eabad30c6c83a89
MD5: 8c8d43c8cfacf6d5c04e6f6ac7d4ff54
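The C&C URLs and addresses above are what a proxy or firewall log search turns up, and the MD5s are what a file-hash inventory (EDR export, Sysmon FileCreate hashes) is checked against. The script below is an added example, not code from the original post: it refangs the hxxp:// URLs, matches requests on (host, path) with the query string stripped so that a callback with extra parameters still hits, treats the host part of a CONNECT target as a bare-IP match, and compares MD5s case-insensitively. The proxy log lines, client addresses, file paths and the non-matching hash are constructed for the example; the indicator values are the ones listed above (only the unambiguous addresses are included; extend the set as needed).

```python
"""Match the network and file-hash indicators from this post against log data (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

C2_URLS = [
    "hxxp://62.76.187.147/nsmp/og/index.php",
    "hxxp://62.76.187.113/par/22.exe",
]
# Subset of the bare C&C addresses listed above; extend with the rest as needed.
C2_IPS = {
    "62.76.187.147", "62.76.187.113", "88.68.122.74", "70.169.168.37",
    "189.242.35.122", "108.74.172.39", "178.238.233.29", "31.192.45.65",
}
MALICIOUS_MD5 = {
    "27da5e0800d937f03c5fbdff8aeb52c3",
    "83ab87dba8600e5f6eabad30c6c83a89",
    "8c8d43c8cfacf6d5c04e6f6ac7d4ff54",
}


def refang(url: str) -> str:
    """Turn the post's defanged hxxp:// form back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def normalise(url: str) -> Tuple[str, str]:
    """(host, path) with scheme, port, query string and fragment dropped."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


C2_URL_KEYS = {normalise(refang(u)) for u in C2_URLS}

# Constructed proxy log (not real traffic): time client method target status
SAMPLE_PROXY_LOG = """\
2013-02-11T10:12:01Z 10.0.0.15 GET http://www.example.com/index.html 200
2013-02-11T10:12:07Z 10.0.0.15 GET http://62.76.187.113/par/22.exe 200
2013-02-11T10:13:40Z 10.0.0.22 POST http://62.76.187.147/nsmp/og/index.php?id=1 200
2013-02-11T10:15:02Z 10.0.0.22 CONNECT 88.68.122.74:443 200
2013-02-11T10:16:11Z 10.0.0.31 GET http://updates.example.net/check 404
"""

# Constructed file-hash inventory (paths invented; second hash is a placeholder)
SAMPLE_HASH_INVENTORY = {
    r"C:\Users\alice\AppData\Local\Temp\MMS_message.exe": "27DA5E0800D937F03C5FBDFF8AEB52C3",
    r"C:\Windows\System32\notepad.exe": "0123456789abcdef0123456789abcdef",
}


def match_proxy_log(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client, indicator_type, indicator) for every hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue                       # malformed line: skip rather than crash
        _, client, method, target, _ = fields[:5]
        if method.upper() == "CONNECT":    # target is host:port, nothing to path-match
            host, path = target.rsplit(":", 1)[0].lower(), None
        else:
            host, path = normalise(target)
        if path is not None and (host, path) in C2_URL_KEYS:
            hits.append((n, client, "c2-url", host + path))
        elif host in C2_IPS:
            hits.append((n, client, "c2-ip", host))
    return hits


def match_hashes(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """(path, md5) pairs whose MD5 is on the list; comparison is case-insensitive."""
    return [(p, h.lower()) for p, h in inventory.items() if h.lower() in MALICIOUS_MD5]


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy line %d: %s -> %s %s" % hit)
    for path, md5 in match_hashes(SAMPLE_HASH_INVENTORY):
        print("file %s has known-bad MD5 %s" % (path, md5))
```

Matching on (host, path) rather than the full string is deliberate: the same callback URL is commonly seen with varying query parameters, and a hostname comparison alone would miss the difference between the two paths served from the 62.76.187.x hosts.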